qcacmn: Fix buffer overflow in fill_ieee80211_hdr_data

Currently variable pl_msdu_info->num_msdu is from message, and is used directly as array size. This may cause buffer overflow. To address this issue add qdf_assert check. Change-Id: Ice78633314b321243136ce4987c633e1201d3cb8 CRs-Fixed: 2187441
2018-02-09 18:19:49 +05:30
parent 1b50fdc451
commit 337c5c6ada
1 changed files with 7 additions and 0 deletions
--- a/utils/pktlog/pktlog_internal.c
+++ b/utils/pktlog/pktlog_internal.c
@@ -280,6 +280,13 @@ fill_ieee80211_hdr_data(struct cdp_pdev *pdev,
 	pl_msdu_info->priv_size = sizeof(uint32_t) *
 				 pl_msdu_info->num_msdu + sizeof(uint32_t);

+	if (pl_msdu_info->num_msdu > MAX_PKT_INFO_MSDU_ID) {
+		QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
+			  "%s: Invalid num_msdu count",
+			  __func__);
+		qdf_assert(0);
+		return;
+	}
 	for (i = 0; i < pl_msdu_info->num_msdu; i++) {
 		/*
 		 * Handle big endianness